Security

CVE-2001-1593: The spy_user function which is called when a2ps is invoked with the --debug flag insecurely used temporary files.

CVE-2014-0466: Brian M. Carlson reported that a2ps's fixps script does not invoke gs with the -dSAFER option. Consequently executing fixps on a malicious PostScript file could result in files being deleted or arbitrary commands being executed with the privileges of the user running fixps.

This update for crowbar-barclamp-network fixes handling of security groups where new instances with floating IPs would not be protected by the firewall and could end up reachable from the outside.

libcurl incorrectly validates wildcard SSL certificates containing literal IP addresses.(CVE-2014-0139)

When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature (whether it was signed by a trusted CA) and validity (whether the date was within the certificate's lifetime and it was not revoked) verifications were still performed. (CVE-2014-1263)

When asked to do a TLS connection (HTTPS, FTPS, IMAPS, etc) to a URL specified with an IP address instead of a name, libcurl would wrongly not verify the server's name in the certificate. The signature (whether it was signed by a trusted CA) and validity (whether the date was within the certificate's lifetime and it was not revoked) verifications were still performed. (CVE-2014-2522)

Daniel Stenberg reported the following vulnerability in cURL:

libcurl can in some circumstances re-use the wrong connection when asked to do transfers using other protocols than HTTP and FTP.

libcurl features a pool of recent connections so that subsequent requests can re-use an existing connection to avoid overhead.

When re-using a connection a range of criterion must first be met. Due to an error in the code, a transfer that was initiated by an application could wrongfully re-use an existing connection to the same server that was authenticated using different credentials. The existing logic basically only worked well enough for HTTP and FTP, while all other network protocols were silently, but erroneously, assumed to work like HTTP. Basically, protocols that use connection oriented authentication need a new connection when new credentials are used.

Affected protocols include: SCP, SFTP, POP3(S), IMAP(S), SMTP(S) and LDAP(S).

The BEGIN regular expression in the awk script detector in magic/Magdir/commands in file before 5.15 uses multiple wildcards with unlimited repetitions, which allows context-dependent attackers to cause a denial of service (CPU consumption) via a crafted ASCII file that triggers a large amount of backtracking, as demonstrated via a file with many newline characters.

Multiple integer overflows in GNU Grep before 2.11 might allow context-dependent attackers to execute arbitrary code via vectors involving a long input line that triggers a heap-based buffer overflow.

Adrian Panasiuk discovered that the KDirStat (KDE Directory Statistics) tool did not correctly escape quotes when deleting a directory permanently. Attempting to use KDirStat to permanently delete a directory that has a malicious name could result in arbitrary command execution.

From the Fedora bug reports:

(1) An information leak flaw was found in the way way segmentation was performed on skbs originated from vhost-net when zerocopy feature was enabled. Once the source skb is consumed, ubuf destructor is called and potentially releases the corresponding userspace buffers, which can then for example be repurposed, while the destination skb could still be pointing to the them. (CVE-2014-0131)

(2) Some occurences in the netfilter tree use skb_header_pointer() in the following way ...

  struct dccp_hdr _dh, *dh;
  ...
  skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);

... where dh itself is a pointer that is being passed as the copy buffer. Instead, we need to use &_dh as the forth argument so that we're copying the data into an actual buffer that sits on the stack.

A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-2523)

(3) Linux kernel built with the IPv6 protocol support(CONFIG_IPv6) is vulnerable to a kernel crash caused by a flood of IPv6 router advertisement(RA) packets. It occurs while processing the IPv6 router advertisement packets.

A remote attacker in the same layer 2 segment can use this flaw to crash the kernel on a target system, resulting in DoS. (CVE-2014-2309)

CVE-2014-0054: Jaxb2RootElementHttpMessageConverter in Spring MVC processes external XML entities.

CVE-2014-1904: Spring MVC introduces a cross-site scripting vulnerability if the action on a Spring form is not specified.

Nicolas Gregoire discovered several vulnerabilities in libxalan2-java, a Java library for XSLT processing. Crafted XSLT programs could access system properties or load arbitrary classes, resulting in information disclosure and, potentially, arbitrary code execution.

Ivan Fratric of the Google Security Team discovered a heap-based buffer overflow vulnerability in LibYAML, a fast YAML 1.1 parser and emitter library. A remote attacker could provide a specially-crafted YAML document that, when parsed by an application using libyaml, would cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application.

mod/chat/chat_ajax.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly check for the mod/chat:chat capability during chat sessions, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by remaining in a chat session after an intra-session capability removal by an administrator. (CVE-2014-0122)

The wiki subsystem in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 does not properly restrict (1) view and (2) edit access, which allows remote authenticated users to perform wiki operations by leveraging the student role and using the Recent Activity block to reach the individual wiki of an arbitrary student. (CVE-2014-0123)

The identity-reporting implementations in mod/forum/renderer.php and mod/quiz/override_form.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 do not properly restrict the display of e-mail addresses, which allows remote authenticated users to obtain sensitive information by using the (1) Forum or (2) Quiz module. (CVE-2014-0124)

repository/alfresco/lib.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 places a session key in a URL, which allows remote attackers to bypass intended Alfresco Repository file restrictions by impersonating a file's owner. (CVE-2014-0125)

Cross-site request forgery (CSRF) vulnerability in enrol/imsenterprise/importnow.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote attackers to hijack the authentication of administrators for requests that import an IMS Enterprise file. (CVE-2014-0126)

The time-validation implementation in (1) mod/feedback/complete.php and (2) mod/feedback/complete_guest.php in Moodle through 2.3.11, 2.4.x before 2.4.9, 2.5.x before 2.5.5, and 2.6.x before 2.6.2 allows remote authenticated users to bypass intended restrictions on starting a Feedback activity by choosing an unavailable time. (CVE-2014-0127)

badges/mybadges.php in Moodle 2.5.x before 2.5.5 and 2.6.x before 2.6.2 does not properly track the user to whom a badge was issued, which allows remote authenticated users to modify the visibility of an arbitrary badge via unspecified vectors. (CVE-2014-0129)

PlRPC uses Storable module for serialization and deserialization of untrusted data. Deserialized data can contain objects which can lead to loading of foreign modules, and possible execution of arbitrary code.

A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack.

A denial of service flaw was found in Squid when SSL-Bump was used. When SSL-Bump is enabled, an attacker could send crafted requests that would cause Squid to crash with an assertion.

This issue affects versions 3.1 and later. Versions 3.0 and older, and version 2, are not vulnerable. The issue was fixed in versions 3.3.12 and 3.4.4.

A flaw was found in the way stunnel, a socket wrapper which can provide SSL support to ordinary applications, performed (re)initialization of PRNG after fork. When accepting a new connection, the server forks and the child process handles the request. The RAND_bytes() function of openssl doesn't reset its state after the fork, but seeds the PRNG with the output of time(NULL). The most important consequence is that servers using EC (ECDSA) or DSA certificates may under certain conditions leak their private key.